Where plaintiff sent a HIPAA authorization with his pre-suit notice that was HIPAA compliant but authorized the disclosure of records, rather than the obtaining of records, the Court of Appeals ruled that he substantially complied with the HCLA.
In Short v. Metro Knoxville HMA, LLC, No. E2018-02292-COA-R3-CV (Tenn. Ct. App. Aug. 23, 2019), plaintiff filed a healthcare liability claim against various medical providers related to the treatment of his late wife during her pregnancy. Plaintiff gave timely pre-suit notice to all the relevant defendants, including a notice letter, a list of providers, and “an authorization to disclose Decedent’s entire medical record to each listed provider.” The letter listed relevant providers and stated that “a substantially similar notice” was being sent to each of them pursuant to the HCLA. The letter further provided that a HIPAA authorization was included “authorizing you to obtain complete medical records from” the relevant providers. The letter also stated that plaintiff was not waiving the “common law physician patient privilege,” and that he expected the recipient to “not communicate with any person, other than your attorney, about the care and treatment” of decedent. On the actual HIPAA authorization, plaintiff wrote that the provider was “authorized to make the disclosure” of the “entire record” to the listed providers “for the purpose of a legal matter.”

Defendants filed motions to dismiss, arguing that the HIPAA authorizations were not compliant with the requirements of the HCLA. The trial court granted the motions, finding that the authorizations were HIPAA compliant but did not satisfy the HCLA. The trial court found that in order to comply with the HCLA, “an authorization, even if HIPAA compliant, must permit medical providers ‘to obtain’ medical records,” and that the authorizations in this case “simply authorized the health care providers to make a disclosure.” The Court of Appeals reversed.

The Court of Appeals began its analysis by reiterating that “not every failure to comply perfectly with [the HCLA section on HIPAA authorizations] is fatal to a healthcare liability plaintiff’s case.” Instead, “a reviewing court should consider the extent and significance of the plaintiff’s errors and omissions and whether the defendant was prejudiced by the plaintiff’s noncompliance.” (internal citation omitted). In this case, the Court ruled that plaintiff substantially complied with the HCLA.

The Court specifically noted that the authorizations here were HIPAA compliant, and that the letter told each defendant that all other listed providers had received similar notices, so as to “allow each listed medical provider to obtain complete medical records from every other provider.” The Court also pointed out that there is no such thing as a “standard model HIPAA authorization.”

Addressing defendants’ argument that the authorizations only permitted the release of documents, not the obtaining of documents, the Court reasoned:

The term ‘obtain’ is not magical. If an authorization permits a defendant to obtain medical records but does not say ‘obtain,’ it is compliant all the same. Had defendants requested records from the other providers, each of whom received their own similar authorization, they would have received the records. There can be no dispute that Defendants knew this from the clear language of the notice letter. Defendants incurred no prejudice from Plaintiff’s action.

Of note, the Court also stated:

This Court has rejected the proposition that a health care liability defendant has a duty to assist a plaintiff achieve compliance or to test whether an obviously deficient HIPAA form would allow the release of records. We believe the converse is true, as well. That a healthcare liability defendant has no duty to test an obviously deficient HIPAA form does not mean that such a defendant should succeed in getting the lawsuit dismissed by refusing to act on a perfectly valid, or ostensibly valid, HIPAA authorization…. Defendants’ failure to request medical records from the listed providers on the basis of an unfounded hypothetical exposure to legal penalties when Plaintiff provided a completely viable means from them to safely obtain the records was unreasonable.
(internal citations and quotations omitted).

The Court stated that “[t]o obtain the medical records necessary for their defense in the lawsuit, all Defendants had to do was ask the other listed medical providers for them, and they and their attorneys knew it.” The Court accordingly reversed dismissal of the case and held that HIPAA authorizations substantially comply with the HCLA if “(1) they are sufficient to enable those medical providers to obtain the patient’s medical records from each other simply by requesting them, and (2) the listed medical providers are informed in the required written notice that all they have to do is ask the other listed medical providers for the records to obtain them because HIPAA authorizations have been furnished to the other providers allowing them to disclose the patient’s records.”

Judge Frierson wrote a dissent here, stating that he believed past precedent in Parks v. Walker, No. E2017-01603-COA-R3-CV (Tenn. Ct. App. Nov. 28, 2018), meant that the HIPAA authorizations here were not substantially compliant. While the majority opinion distinguished this case from Parks, both the majority opinion and the dissent suggested in footnotes that this issue should be taken up by the Tennessee Supreme Court, so it will be interesting to see if that happens.

Within the domain of HCLA pre-suit notice cases, the HIPAA authorization component still seems to be the most litigated part of the statute. This opinion was a well-reasoned approach to this topic that will hopefully survive further appeal.

NOTE: To aid lawyers in giving clients guidance about how long it takes to receive an opinion after oral argument in the appellate courts, we are going to start sharing that information with readers. Please understand that the length of time that elapses between oral argument and the date the opinion is released is dependent on a multitude of factors, not the least of which is the complexity of the issues presented. In this case, the opinion was released just over one month after oral argument.

Please do not include any confidential or sensitive information in a contact form, text message, or voicemail. The contact form sends information by non-encrypted email, which is not secure. Submitting a contact form, sending a text message, making a phone call, or leaving a voicemail does not create an attorney-client relationship.